b'              Audit of the DAISY/CHICO Component Application of the \n\n                  RRA Benefit Payment Major Application System \n\n                        Audit Report No. 07-02, March 9, 2007 \n\n\n                                    INTRODUCTION \n\n\nThis report presents the results of the Office of Inspector General\xe2\x80\x99s (OIG) audit of the\nDaily Activity Input System/Checkwriting Integrated Computer Operation\n(DAISY/CHICO) system which is used to process payments issued under the Railroad\nRetirement Act (RRA).\n\nBackground\n\nThe Railroad Retirement Board (RRB) administers the retirement/survivor and\nunemployment/sickness insurance benefit programs for railroad workers and their\nfamilies under the RRA and the Railroad Unemployment Insurance Act. These\nprograms provide income protection during old age and in the event of disability, death,\ntemporary unemployment or sickness. The RRB paid over $9.5 billion in benefits during\nfiscal year 2006.\n\nThe RRB\xe2\x80\x99s information system environment consists of two general support systems\nand six major application systems. In accordance with standards and guidance\npromulgated by the National Institute of Standards and Technology (NIST), the RRB\nhas designated each of these systems as \xe2\x80\x9cmoderate impact.\xe2\x80\x9d A moderate impact\nsystem has been defined as a system in which the loss of confidentiality, integrity, or\navailability could be expected to have a serious adverse effect on organizational\noperations, organizational assets, or individuals.\n\nThe various systems that support benefit adjudication and payment under the RRA\ncomprise one of the RRB\xe2\x80\x99s six major application systems. This major application\nsystem includes component applications for information input, benefit calculation, initial\naward and adjustment processing, tax accounting, accounts receivable, mass benefit\nadjustments, recurring payment processing, and records maintenance. The various\ncomponent systems have similar characteristics and security requirements.\n\nDAISY/CHICO is the component of the RRA benefit payment major application system\nthat processes payments initiated in other RRB automated systems. DAISY/CHICO\nreceives data input from these other systems, processes it and creates electronic output\nfiles. These output files update other RRB automated systems with payment\ninformation, including the CHICO Master File which supports the payment of recurring\nRRA annuities. DAISY/CHICO also processes certain other transactions related to\nmaintaining the benefit payment rolls, such as changes of address and changes in\nentitlement status.\n\nThe U.S. Department of the Treasury (Treasury) issues payments on behalf of the RRB.\nDAISY/CHICO produces the electronic data file that transmits detailed payment\n\n\n\n                                             1\n\n\x0cinstructions to Treasury. Prior to release of payment, the RRB must formally authorize\nTreasury to issue the payments through a separate process known as certification.\n\nDAISY/CHICO performs data edits that may cause individual transactions to be rejected\nor referred. Rejected transactions are not processed to completion and require manual\nhandling. Referred transactions are generated when data edits disclose discrepancies\nwhich are not severe enough to cause the system to reject the transaction such as\nthose that do not impact the current benefit payment amount. Referred transactions are\nprocessed to completion but are flagged for further review.\n\nBenefit payment award calculations may be made as much as several days prior to\nDAISY/CHICO processing, depending upon the input system in which the calculation\noriginates. Additionally, a benefit payment input system may pass more than one data\nfile to DAISY/CHICO in a single processing run. A single DAISY/CHICO processing\nrun may also release more than one data file to Treasury for payment. Changes in\nprocessing occur throughout the month, most commonly in the days leading up to and\nimmediately following payment of the recurring monthly annuities. Each month, the\nOffice of Programs prepares an operations calendar showing the various changes in\nprocessing. This calendar is used by the Bureau of Information Services to identify the\nappropriate processing runs.\n\nThis audit was conducted pursuant to the E-Government Act of 2002 (P.L. 107-347),\nTitle III, the Federal Information Security Management Act of 2002 (FISMA), which\nmandates that agencies develop, document, and implement an agency wide information\nsecurity program. The OIG has the responsibility of evaluating the information security\nat the RRB.\n\nObjective, Scope and Methodology\n\nThe objective of this audit was to determine whether application controls in the\nDAISY/CHICO system are operating as designed, and meet the requirements\nestablished by FISMA. Application controls consist of those pertaining to the input,\nprocessing, and the output of data.\n\nTo accomplish our objective, we:\n\n   \xe2\x80\xa2\t obtained and reviewed the RRB\xe2\x80\x99s policies, procedures, and practices pertaining\n      to the application controls in the DAISY/CHICO component system;\n   \xe2\x80\xa2\t identified and assessed the design of DAISY/CHICO input, processing and\n      output controls;\n   \xe2\x80\xa2\t performed sampling and non-sampling tests of transactions; and\n   \xe2\x80\xa2\t interviewed responsible management and staff.\n\n\n\n\n                                            2\n\n\x0cOur tests of transactions included detailed examination of input data and the resulting\npayment output from system activity between February 17 and March 2, 2006.\n\n    \xe2\x80\xa2\t We traced samples of data input from four benefit payment systems, through\n       DAISY/CHICO, to the resulting output data files and systems, to ensure the\n       completeness of DAISY/CHICO processing.1 The details of our sampling\n       methodology and results are presented in Appendix II.\n    \xe2\x80\xa2\t We reviewed all rejected and referred payments, changes of address,\n       suspensions/terminations, and miscellaneous non-payment changes to the\n       CHICO master record for a two week period. We verified whether the\n       transaction had been appropriately controlled, corrected, and reprocessed. The\n       details of our sampling methodology and results are presented in Appendix III.\n    \xe2\x80\xa2\t We verified the accuracy and completeness of payment certifications sent to\n       Treasury for DAISY/CHICO processing for a two week period, including 11\n       DAISY/CHICO certifications for processing that occurred in the days leading up\n       to, including, and immediately following, the March 2006 payment of recurring\n       annuities.\n\nOur primary sources of criteria for this audit were definitions and requirements\npublished by the Office of Management and Budget (OMB), NIST, and internal control\nstandards established by the Government Accountability Office (GAO).\n\nOMB defines information systems as \xe2\x80\x9ca discrete set of information resources organized\nfor the collection, processing, maintenance, transmission, and dissemination of\ninformation, in accordance with defined procedures, whether automated or manual.\xe2\x80\x9d2\n\nFISMA establishes program management and evaluation requirements, as well as\nminimum information security requirements, or controls, to be implemented by Federal\nagencies. In accordance with FISMA, NIST Federal Information Processing Standards\nPublication 200 establishes the NIST Special Publication (SP) 800-53 as the \xe2\x80\x9cMinimum\nSecurity Requirements for Federal Information and Information Systems.\xe2\x80\x9d3 These\nrequirements include system and information integrity controls such as input accuracy,\ncompleteness and validity, error handling, and output handling and retention.\n\nOur work was performed in accordance with generally accepted government auditing\nstandards as applicable to the objective. Fieldwork was conducted at RRB\nheadquarters in Chicago, Illinois during January 2006 through November 2006.\n\n\n\n\n1\n  A glossary of systems considered in this audit is included as Appendix I. \n\n2\n  OMB Circular A-130, \xe2\x80\x9cManagement of Federal Information Resources,\xe2\x80\x9d November 28, 2000.\n\n3\n  NIST SP 800-53, \xe2\x80\x9cRecommended Security Controls for Federal Information Systems,\xe2\x80\x9d February 2005. \n\n\n\n                                                 3\n\n\x0c                                   RESULTS OF REVIEW\n\n\nApplication controls over the input of data to the DAISY/CHICO system and processing\nof data by that system are operating as designed, and meet the requirements\nestablished by FISMA. However, output controls do not meet the requirements of\nFISMA and need to be improved. Our review disclosed weaknesses in output controls\nover rejected transactions and identified a class of transactions for which the output\nrecords do not create adequate transaction history. During our review, we also noted\nthat published payment certification procedures are outdated.\n\nThe details of our findings and recommendations follow. Management has agreed to\ntake the recommended corrective actions, with a proposed alternate solution for\nRecommendation 1. The full text of the Office of Programs\xe2\x80\x99 response is included in this\nreport as Appendix IV.\n\nControls Over Some Rejected Transactions Need Improvement\n\nApplication controls over rejected transactions are not effective in ensuring system and\ninformation integrity. Our review of rejected transactions showed that, in some\nsituations, DAISY/CHICO produced discrepant output records, and rejected\ntransactions requiring manual handling were not always correctly processed.\n\nNIST standards require that security controls for system and information integrity\naddress the handling and retention of system output.4 These standards require that the\noutput from information systems be handled and retained in accordance with\norganizational policy and operational requirements, and that error conditions be\nidentified and handled expeditiously. Good business practice and effective application\ncontrols include the verification of output for accuracy and completeness, and the\nreporting and controlling of errors to ensure appropriate correction.\n\nDiscrepant Output Records\n\nOur review of 55 rejected daily award transactions disclosed three awards for which the\nresults of DAISY/CHICO processing was incorrectly recorded in other systems that\nmaintain information to support benefit adjudication.\n\nIn each of the three questioned cases, DAISY/CHICO received two payment actions\nfrom two different feeder systems. DAISY/CHICO paid one award, and rejected the\nother as a duplicate. However, other components of the RRA benefit payment major\napplication system that report the results of DAISY/CHICO processing inconsistently\nidentify the source of the award action.5\n\n\n\n4\n NIST SP 800-53, \xe2\x80\x9cRecommended Security Controls for Federal Information Systems,\xe2\x80\x9d February 2005.\n5\n The two feeder systems are ROC and RASI, and the resulting output systems are DATAQ and PREH.\nSee Appendix I for the full name and description of these systems.\n\n\n                                                4\n\n\x0cBecause the system update process is automated, further technical examination of the\nresponsible mainframe computer programs involved will be required to determine the\ncause of these errors.\n\nAs a result, the DATAQ system, which is sometimes described as a \xe2\x80\x9csnapshot\xe2\x80\x9d of\nDAISY/CHICO payment activity, contradicts the DAISY/CHICO award and reject listing.\nIn addition, the two systems that received the DAISY/CHICO output contradict each\nother. The contradictory records give the false impression that more than one payment\nwas issued.6\n\nRejected Transactions Not Processed to Completion\n\nOur review of transactions rejected by DAISY/CHICO disclosed that the Office of\nPrograms does not provide adequate follow-up to ensure that such transactions are\nprocessed to completion.\n\nOur review of 133 address changes that were rejected during DAISY/CHICO processing\ndisclosed 32 for which required agency action had not been completed, leaving the old\naddress in the system. We also reviewed six miscellaneous changes to the\nDAISY/CHICO master record that were rejected during processing and identified two\ncases that had not been properly corrected. In one case, the annuitant record\ncontinued to show an incorrect social security number and, in the other, incorrect\nannuity entitlement data.\n\nWhen DAISY/CHICO is unable to process a change as input, the transaction is\nidentified on a reject listing. The Office of Programs distributes the reject listing to its\npersonnel in headquarters and the field service. Personnel that initiate changes are\nexpected to monitor the list, identify rejected transactions that originated with them, and\ntake action to ensure complete processing.\n\nExisting procedures for handling rejected changes of address and other miscellaneous\ncorrections are not fully effective because the Office of Programs does not monitor the\ndisposition of transactions that appear on the change of address and master record\nchange reject listings. In addition, the electronic listing of rejected changes of address,\navailable for review on the RRB\xe2\x80\x99s intranet, is periodically cleared of older items, whether\nthey have been corrected or not.\n\nAs a result of weak controls over the handling of rejected transactions, the agency is\nvulnerable to errors caused by reliance on incorrect data. For example, errors in\nannuitant address records could result in the release of correspondence or checks to a\nwrong address, delaying communication or exposing the agency to loss.\n\n\n\n\n6\n  We reviewed the file certified to Treasury for payment, and confirmed that only a single payment was\nissued.\n\n\n                                                    5\n\n\x0cOther Inconsistent Records\n\nOur review of rejected transactions also included comparison of the corrected data in\nthe DAISY/CHICO master record with the same information in other agency systems.\nWe identified a case in which the date of birth in DAISY/CHICO did not agree with the\ndate of birth in the system that supports Medicare processing. The Office of Programs\ndoes not currently have a procedure to identify such discrepancies and refer them for\nmanual correction.\n\nRecommendations\n\nWe recommend that the Office of Programs:\n\n      1. work with the Bureau of Information Services to identify and correct the cause of\n         the discrepant output records of the kind identified by this audit;\n      2. use one of the existing automated work scheduling systems to control for the\n         correction of rejected changes of address and master record changes; and\n      3. develop procedures to identify and refer for correction date of birth discrepancies\n         of the kind identified by this audit.\n\nManagement\xe2\x80\x99s Response\n\nThe Office of Programs concurs with the recommendations, but has proposed an\nalternate solution for Recommendation 1. They have advised that one of the feeder\nsystems involved is scheduled for obsolescence, and therefore, have agreed to\nimplement additional procedures and training instead of considering program changes.\nThe Office of Programs has also agreed to expand the use of one of the existing\nautomated work scheduling systems, and to develop procedures for the identification\nand correction of date of birth discrepancies.\n\n\nMedicare Reimbursement Transactions\n\nThe RRB does not maintain adequate records of one-time cash refunds of Medicare\npremiums.\n\nGAO standards for internal control in the Federal government require that all\ntransactions and other significant events be clearly documented, and the documentation\nshould be readily available for examination.7 Such documentation should be complete,\naccurate, and facilitate tracing the transaction or event and related information from\nauthorization and initiation, through its processing, to completion.8 NIST standards\nspecifically require that security controls ensure that system output is handled and\n\n\n7\n    \xe2\x80\x9cStandards for Internal Control in the Federal Government,\xe2\x80\x9d GAO/AIMD-00-21.3.1 (11/99), page 15.\n8\n    \xe2\x80\x9cInternal Control Management and Evaluation Tool,\xe2\x80\x9d GAO-01-1008G (8/01), page 43.\n\n\n                                                     6\n\n\x0cretained in accordance with organizational policy and operational requirements.9\nProcedures published in the RRB\xe2\x80\x99s Retirement Claims Manual state that the PREH\ndatabase is to be updated daily for entitlement and rate information, including Medicare\npremium adjustments, for RRB beneficiaries.\n\nOur review disclosed 18 refunds of Medicare premiums that had not been recorded in\nany electronic history system.10 The questioned transactions were reimbursements to\nbeneficiaries who had paid premiums which had also been paid by their state\xe2\x80\x99s\nMedicare premium buy-in program.\n\nUpon further inquiry, we were advised that information about this type of refund was\ndeliberately excluded from the automated systems that support general claims\nprocessing and Medicare premium collection.11 Although these refunds are included in\nthe electronic audit file for the system where the refund transaction originates, that file is\ninsufficiently detailed to distinguish Medicare premium refunds from other one-time\npayments.12 In addition, the audit file of a feeder system is not an adequate substitute\nfor a true record of processed DAISY/CHICO output.\n\nAs a result, a comprehensive review of Medicare refund payments would require\nexamination of multiple sources such as electronic audit files, imaged documents,\naward and reject listings, and a payment support system maintained by Treasury.13\nSuch a cumbersome manual process does not meet either GAO or NIST standards.\n\nRecommendation\n\n     4. We recommend that the Office of Programs request programming changes as\n        necessary to ensure that refunds of Medicare premiums are stored in an\n        electronic payment history system which can be easily accessed for subsequent\n        review or analysis.\n\nManagement\xe2\x80\x99s Response\n\nThe Office of Programs concurs with the recommendation and will develop a database\nto maintain Medicare premium collections and refunds.\n\n\n\n\n9\n  NIST SP 800-53, \xe2\x80\x9cRecommended Security Controls for Federal Information Systems,\xe2\x80\x9d February 2005. \n\n10\n   The refunds identified during our audit were initiated through the SURPASS system as one-payment\n\nonly awards which are subsequently passed to the DAISY/CHICO system for payment. See Appendix I \n\nfor the full name and description of this system. \n\n11\n   Such as the PREH, MIRTEL, or MOLI systems. See Appendix I for the full name and description of \n\nthese systems. \n\n12\n   The audit file refers to a record of transactions processed by the SURPASS system. \n\n13\n   The SURPASS audit file, imaged SURPASS documentation, DAISY/CHICO award and reject listings, \n\nand the Treasury PACER system. See Appendix I for the full name and description of these systems. \n\n\n\n                                                 7\n\n\x0cPayment Certification Procedures Are Out of Date\n\nPayment certification procedures published in the RRB\xe2\x80\x99s Retirement Claims Manual are\noutdated and do not reflect current practice.\n\nGAO standards for internal control in the Federal government require that controls,\nincluding policies and procedures, be clearly documented and that documentation be\nproperly managed and maintained.14 NIST standards require organizations to develop,\ndisseminate, and periodically review and update formal documented procedures to\nfacilitate the implementation of the system and information integrity policies and\ncontrols. 15\n\nThe Treasury issues payments on behalf of the RRB through a process in which the\nRRB \xe2\x80\x9ccertifies\xe2\x80\x9d that payment should be made. Sections of the Retirement Claims\nManual describing procedures for the certification of payments to Treasury have not\nbeen updated since 2003. During our review, we noted that existing procedures refer to\nan obsolete system which was replaced in 2004.16 Office of Programs\xe2\x80\x99 personnel\nresponsible for certification of payments to Treasury told us they rely solely on the\ninstructional packets they received when training was provided for the replacement\nsystem.\n\nInadequate and outdated procedures increase the risk that transactions will not be\nprocessed consistently or accurately.\n\nRecommendation\n\n     5. We recommend that the Office of Programs review and revise published \n\n        procedures for the certification of payments to Treasury. \n\n\nManagement\xe2\x80\x99s Response\n\nThe Office of Programs concurs with the recommendation and has agreed to revise the\nprocedures for the certification of payments to Treasury.\n\n\n\n\n14\n   \xe2\x80\x9cStandards for Internal Control in the Federal Government,\xe2\x80\x9d GAO/AIMD-00-21.3.1 (11/99), page 15.\n15\n   NIST SP 800-53, \xe2\x80\x9cRecommended Security Controls for Federal Information Systems,\xe2\x80\x9d February 2005.\n16\n   Electronic Certification System was replaced by Secure Payment System in 2004.\n\n\n                                                 8\n\n\x0c                                                                             Appendix I\n\n\n                                 Glossary of Systems\n\nASTRO - Automated System to Recover Overpayments -- A system designed to\nmonitor the various phases in the overpayment recovery process and to initiate\nsuspension or award actions at the proper time in order to begin or conclude recovery.\n\nCHICO - Checkwriting Integrated Computer Operation -- The benefit payments\ncheck writing operation. CHICO screens all awards and suspension/termination actions\nagainst the master benefit payment file and updates the master file with the new\ntransactions.\n\nDAISY - Daily Activity Input System -- The system that produces a record of all award\nactivity involving the payment of benefits. DAISY edits all award records to ensure\ncompleteness and balances individual voucher batches. DAISY\xe2\x80\x99s output becomes the\ninput of the CHICO program.\n\nDAISY COA REJECTS -- An electronic report of rejected change of address\ntransactions. Field offices are responsible for reviewing the report each day and\npreparing corrected transactions, as necessary.\n\nDATAQ - Data Query -- An on-line system that allows access to selected data in the\nCHICO file.\n\nIMAGING System -- A system used to store electronic images of documents\nobtained/created during processing. Documents include correspondence from\nannuitants and electronic output such as awards, award letters, and rejects from the\ndaily payment processing system.\n\nMIRTEL - Medicare Information Recorded, Transmitted, Edited and Logged -- A\nsystem that records and maintains health insurance information for all eligible aged and\ndisabled beneficiaries regardless of enrollment or annuity status.\n\nMOLI - MIRTEL On-Line Inquiry -- An on-line system that allows access to selected\ndata in the MIRTEL file.\n\nPACER - Payments Accounting Claims Enhancements Reconciliation -- A U.S.\nDepartment of the Treasury System which allows users to query information, create\nclaims, and request digital images of negotiated checks of all payments issued by their\nagency.\n\nPARS - Program Accounts Receivable System -- A system which contains an\naccounts receivable record for every overpaid annuitant under the Railroad Retirement\nAct. PARS provides for the automation of tracking and maintenance of accounts\nreceivable originating from benefit overpayments.\n\nPAYBACK - On Line Cancelled Payment Data -- A system which provides on-line\nviewing access of cancelled checks and returned direct deposit/electronic funds transfer\npayments.\n                                           9\n\n\x0c                                                                             Appendix I\n\n\n\nPREH - Payment, Rate, and Entitlement History -- A system which contains\nentitlement and historical rate information for employee, spouse and survivor railroad\nannuitants.\n\nRASI - Retirement Adjudication System-Initial -- A system which adjudicates,\ncalculates and awards initial employee and/or spouse annuities.\n\nRESCUE \xe2\x80\x93 Recalculate for Service and Compensation Updated to EDM --A system\ndeveloped to automate annuity adjustments in response to changes in railroad service,\nrailroad compensation, or social security wages posted to the Employment Data\nMaintenance (EDM) database, and Separation Allowance Lump Sum Annuity (SALSA)\npayments in response to changes made in the separation payments master records.\n\nREQUEST - RASI Examiner Query Using Electronic System Terminals -- A system\nwhich allows on-line access to selected data in the RASI file.\n\nROC - Retirement On-Line Calculations -- An on-line system for calculating and\npaying retirement awards.\n\nSTAR - System of Tracking and Reporting -- A work management system used to\nassign and control work. STAR tracks a case from receipt until completion.\n\nSURPASS - Survivor Payments System -- An on-line system for calculating and\npaying survivor awards. Retirement annuities due but unpaid at the time of death, and\none-payment-only awards for the reimbursement of Medicare premiums are also paid\nthrough SURPASS.\n\nTAS - Taxation Accounting System -- A database used to account for all payments to,\nand recoveries from, each beneficiary for tax reporting purposes.\n\nWEB CONNECTOR -- The browser that allows for viewing of documents that are in the\nImaging System.\n\nWORKDESK -- An electronic workflow system that is used to manage, assign, control\nand view documents that are in the Imaging System.\n\nWORKLIST -- An inquiry and update system which is designed to accept and display\ntransaction records from numerous systems used at the RRB. These transactions may\nbe notices of rejects, requests for additional information, situations needing\ninvestigation, or any category of work requiring action.\n\n\n\n\n                                           10\n\n\x0c                                                                              Appendix II\n                     SAMPLING METHODOLOGY AND RESULTS\n                          Completeness of Processing\n\nWe used a combination of statistical sampling and 100% review to evaluate the\neffectiveness of controls in ensuring the completeness of Daily Activity Input\nSystem/Checkwriting Integrated Computer Operation (DAISY/CHICO) processing.\n\nAudit Objective\n\nThe objective of our test was to determine whether existing controls are effective in\nensuring the completeness of DAISY/CHICO processing.\n\nDAISY/CHICO processes payments as well as non-payment corrections such as\nchanges of address. We consider processing complete if all transactions input to\nDAISY/CHICO are fully processed so that:\n\n    \xe2\x80\xa2\t payments are properly certified to Treasury and issued;\n    \xe2\x80\xa2\t other RRB systems are updated to reflect the results of payment processing\n       according to system design;\n    \xe2\x80\xa2\t non-payment record corrections correctly update other RRB systems; and\n    \xe2\x80\xa2\t rejected transactions are properly identified.\n\nScope\n\nWe selected transactions for testing from data input files created between February 17\nand March 1, 2006, and processed by the DAISY/CHICO system between February 22\nand March 1, 2006.\n\nWe did not test all input files processed by DAISY/CHICO during that period; we limited\nour tests to transactions originating in the following selected applications that support\nthe processing of retirement and survivor benefits:\n\n   \xe2\x80\xa2\t Retirement Adjudication System - Initial (RASI),\n   \xe2\x80\xa2\t Retirement On-Line Calculations (ROC),\n   \xe2\x80\xa2\t Survivor Payments System (SURPASS), and\n   \xe2\x80\xa2\t Automated System to Recover Overpayments (ASTRO).\n\n\nSampling Methodology\n\nWe identified 16 groups of transactions (input files) for testing based on the application\nin which the transactions originated (input system) and the date on which the input files\nwere created. Each group was treated as a separate universe. The sampling unit was\na single input record within that universe.\n\nWhen the universe was small, we examined 100% of the transactions; larger universes\n(more than 150 transactions) were evaluated using statistical attribute discovery\n\n                                            11\n\n\x0c                                                                                        Appendix II\n                       SAMPLING METHODOLOGY AND RESULTS\n                            Completeness of Processing\n\nsampling with sample sizes determined based on a desired 90% confidence and 2%\ntolerable error rate. Using these sampling parameters, if no errors are identified, the\nauditor may infer with 90% confidence that the occurrence rate of errors does not\nexceed approximately 2%.\n\nWe selected a total of 1,246 transactions for review. Transactions in the attribute\ndiscovery samples were selected at random. A table summarizing the transaction\ngroupings, and the number of transactions selected for review from each group is\npresented on the last page of this appendix.\n\nReview Methodology\n\nTo determine completeness of processing, we traced each transaction selected for\nreview to the applicable DAISY/CHICO output which includes:\n\n     \xe2\x80\xa2   a payment on a transaction file sent to Treasury,\n     \xe2\x80\xa2   a non-payment record correction,\n     \xe2\x80\xa2   a rejected activity.\n\nWe also traced each sample item to the automated systems that maintain the historical\nrecord of benefit payment processing: the Payment, Rate, and Entitlement History\n(PREH) and/or Taxation Accounting System (TAS) databases, as applicable.\n\nAn error was defined as any input record which could not be traced to the resulting\nDAISY/CHICO output or had not been properly updated to the applicable historical\nsystem.17\n\nResults of Review\n\nWe found that all transactions were processed in accordance with management\xe2\x80\x99s\ndirectives. However, our tests identified 18 Medicare refunds for which output records\nare not maintained in other agency systems that support benefit adjudication and\npayment processing, which is a control weakness.\n\nConclusion\n\nWe conclude with 90% confidence that incomplete processing would not exceed\napproximately 2% of DAISY/CHICO transactions. We recommend no corrective action.\n\nHowever, the RRB needs to improve output controls over the refund of Medicare\npremium refunds. The details of our findings and recommendation are presented in the\nbody of this report.\n\n\n17\n  Transactions that were not updated to PREH or TAS based on their attributes, were verified by the\nauditors and are not considered errors. For example, a non-taxable payment would not be updated to the\nTAS database. See Appendix I for the full name and description of these systems.\n\n                                                 12\n\n\x0c                                                                             Appendix II\n                    SAMPLING METHODOLOGY AND RESULTS\n                         Completeness of Processing\n\nThe following table details the sources of transactions reviewed during our tests of\ncompleteness and the number of transactions reviewed compared to the universe of\ntransactions. It also shows whether we reviewed all the records in the universe or\nselected records randomly as part of a statistical attribute discovery sample.\n\n                INPUT\n   INPUT       SYSTEM        DAISY RUN     UNIVERSE      SAMPLE        SELECTION\n  SYSTEM        DATE           DATE          SIZE         SIZE       METHODOLOGY\n    RASI        02/17/06      02/22/06              18        18       100% Review\n    RASI        02/21/06      02/22/06              16        16       100% Review\n    RASI        02/22/06      02/24/06              18        18       100% Review\n    RASI        02/23/06      02/24/06              20        20       100% Review\n                                                                   Discovery Acceptance\n    RASI        02/24/06      02/27/06             642       105\n                                                                         Sampling\n                                                                   Discovery Acceptance\n    RASI        02/27/06      02/28/06             292        95\n                                                                         Sampling\n                                                                   Discovery Acceptance\n    RASI        02/28/06      03/01/06             236        91\n                                                                         Sampling\n    ROC         02/22/06      02/22/06             106       106       100% Review\n                                                                   Discovery Acceptance\n    ROC         02/24/06      02/24/06             180        85\n                                                                         Sampling\n                                                                   Discovery Acceptance\n    ROC         02/28/06      02/28/06             522       103\n                                                                         Sampling\n                                                                   Discovery Acceptance\n    ROC         03/01/06      03/01/06             192        86\n                                                                         Sampling\n                                                                   Discovery Acceptance\n SURPASS        02/22/06      02/22/06             161       82\n                                                                         Sampling\n                                                                   Discovery Acceptance\n SURPASS        02/24/06      02/24/06             205       88\n                                                                         Sampling\n                                                                   Discovery Acceptance\n SURPASS        02/28/06      02/28/06             668       105\n                                                                         Sampling\n                                                                   Discovery Acceptance\n SURPASS        03/01/06      03/01/06             201       87\n                                                                         Sampling\n   ASTRO        02/27/06      02/27/06             141       141       100% Review\n\n\n                 Total Number of Transactions Reviewed     1,246\n\n\n\n\n                                             13\n\n\x0c                                                                             Appendix III\n\n                    SAMPLING METHODOLOGY AND RESULTS \n\n                       Rejected and Referred Transactions \n\n\nWe performed non-sampling tests (100% review) to assess the effectiveness of controls\nover transactions rejected or referred from Daily Activity Input System/Checkwriting\nIntegrated Computer Operation (DAISY/CHICO).\n\nAudit Objective\n\nThe objective of our test was to determine whether rejected and referred transactions\nhad been properly controlled, corrected, and reprocessed.\n\nScope\n\nWe reviewed every transaction that was rejected or referred by DAISY/CHICO during\nthe two week period from February 17 through March 2, 2006, which included eight\nDAISY/CHICO runs consisting of payments, change of address requests,\nsuspension/termination actions, and miscellaneous non-payment changes to the\nCHICO master record. A total of 236 transactions fell within the scope of audit testing.\n\nReview Methodology\n\nFor each of the transactions within the scope of audit testing, we reviewed supporting\ninput and output systems for evidence of the rejected or referred transaction and/or its\nsubsequent correction and reprocessing. An error was defined as any rejected or\nreferred transaction that had not been properly corrected and reprocessed or that had\nbeen inappropriately dropped from processing.\n\nResults of Non-Sampling Tests\n\nOur review of 236 rejected and referred transactions identified 3 rejected awards with\ndiscrepant output records; and 32 changes of address and 3 rejected master record\nchanges that had not been adequately controlled, corrected, and reprocessed.\n\nThe details of the DAISY/CHICO processing dates, the corresponding number of\nrejected/referred transactions, and the number of audit exceptions are presented on the\nnext page of this appendix.\n\nAudit Conclusion\n\nBased on the results of our tests, we concluded that the Office of Programs needs to\nimprove controls over rejected transactions. The details of our findings and\nrecommendation are presented in the body of this report.\n\n\n\n\n                                            14\n\n\x0c                                                              Appendix III\n\n      SAMPLING METHODOLOGY AND RESULTS\n         Rejected and Referred Transactions\n\nDAISY/CHICO              DAISY/CHICO\nPROCESSING            REJECTED/REFERRED            AUDIT\n   DATE                 TRANSACTIONS             EXCEPTIONS\n                         Daily Awards\n  02/17/06                               14               0\n  02/21/06                               12               0\n  02/22/06                                3               0\n  02/24/06                                2               0\n  02/27/06                                9               0\n  02/28/06                                9               3\n  03/01/06                                4               0\n  03/02/06                                2               0\n             Total                       55               3\n                Change of Address Requests\n  02/17/06                             27                 5\n  02/21/06                              0                 0\n  02/22/06                              0                 0\n  02/24/06                              0                 0\n  02/27/06                             64                17\n  02/28/06                              8                 0\n  03/01/06                             15                 5\n  03/02/06                             19                 5\n             Total                    133                32\n         Suspension and Termination Actions\n  02/17/06                          11                    0\n  02/21/06                           0                    0\n  02/22/06                           0                    0\n  02/24/06                           0                    0\n  02/27/06                          22                    0\n  02/28/06                           6                    0\n  03/01/06                           0                    0\n  03/02/06                           3                    0\n           Total                    42                    0\n                     Master Record Changes\n  02/17/06                                   0            0\n  02/21/06                                   0            0\n  02/22/06                                   0            0\n  02/24/06                                   0            0\n  02/27/06                                   0            0\n  02/28/06                                   0            0\n  03/01/06                                   0            0\n  03/02/06                                   6            3\n             Total                           6            3\n All Activity                           236              38\n\n\n\n\n                                  15\n\n\x0c\x0c\x0c\x0c'